The invention relates to a method of analyzing a state based system model comprising a set of machines (M1, .., Mn), said machines each comprising at least one possible state (pS1Mi, ..., pSkMi), each machine being in one of its comprised states at any given time, the dynamic behavior of said machines (M1, .., Mn) being defined by predefined transitions between said states of each machine (M1, .., Mn) and dependencies (D) between said machines (M1, .., Mn). One of many important advantages of the invention is that many analyses of real-life state based system models can be performed without evaluation of a considerable amount of machines in the system model.
A METHOD AND AN APPARATUS FOR ANALYZING A STATE BASED SYSTEM MODEL

Field of the art

The invention relates to a method of analyzing a state based system model comprising a set of machines as stated in the independent claims 1, 11 and 29.

Background of the invention

When considering the fact that many product segments of the market tend to comprise an increasing amount of embedded software, and as the products within said segments tend to be differentiated more and more only by the performing differences of the embedded software rather than the utilized hardware, the future demands on software designs in general will be very great with respect to both fault recognition and elimination and short-term development deadlines.

One of many examples of relevance may be within the automotive industry. Even mass-produced cars tend to comprise an increasing number of dedicated microprocessors. The microprocessors may, e.g., be dedicated to control ABS, fuel injection, light control, different kinds of monitoring, heat control, security systems, etc., and many of the different subsystems will often have to be controlled by a common protocol.

It is evident that the large scale appearance of software-controlled units will cause increasing troubles to the system designers, as it may be difficult to overview every aspect of the possible states of each unit, and of course it may be even more complicated to keep track of the synergy between all the subsystems utilized. A further difficulty which should be mentioned is that most of the subsystems will be designed by different developers or groups of such, and that the interfaces between such subsystems may be difficult to control as no effective tools can be provided to the developers for the necessary analyses of such large-scale systems together or even in every single unit.

This may cause expensive and crucial delays with respect to the duration of the product development and releasing. It is even more crucial that some products may even be put on the market with inherent hidden errors which, under certain unknown conditions, may be triggered and come to light.

This problem is of course really serious in safety critical systems where a defect or fault may even cause injury to persons affected by such a defect.

One way of testing such types of products is to check the logic design prior to the fabrication of a device through symbolic model checking. The technique has turned out to be very efficient for analyses and verification of hardware systems. However, it has not been clear whether model checking is an effective tool for other types of concurrent systems such as e.g. software systems.

One reason why symbolic model checking may not be as efficient is that software systems tend to be both larger and less regularly structured than hardware. For example, many of the results reported for verifying large hardware systems have been for linear structures like stacks or pipelines, for which it is known that the size of the transition relation when represented as a so-called ROBDD (Reduced Ordered Binary Decision Diagram) grows linearly with the size of the system.

Another approach to this is described in US patent no. 5,465,216 in which a method of automatic design verification is described. The described method basically accepts the fact that formal verification suffers from a deficiency, "the state explosion problem", and furthermore concludes that formal verification of very large systems is beyond the capabilities of the current formal verification techniques. Hence, the above-mentioned patent describes a way of decomposing and reducing the system model instead of dealing with the verification method. Consequently, a drawback of the described method is that the possibly obtainable results will only be partial and non-exhaustive.

A more promising technique, based on the above-mentioned ROBDDs, which also exploits the structure of the system, is presented in W. Lee et al., Tearing based automatic abstraction for CTL model checking, 1996 IEEE/ACM International Conference on Computer-Aided Design, pages 76-81, San Jose, CA, 1996 IEEE Comput. Soc. Press. This technique uses a partitioned transition relation, and a greedy heuristic is used to select subsets of the transition relation. For each chosen subset, a complete fixed-point iteration is performed. If the formula cannot be proven after this iteration, a larger subset is chosen. In case of an invalid formula the algorithm only terminates when the full transition relation has been constructed (or memory or time has been exhausted). A drawback of the technique is that it uses a greedy strategy involving a fixed-point iteration for each of the remaining machines. If the system only has a single initial state, as is typical in embedded software systems, the greedy strategy reduces to selecting an arbitrary machine, thus involving extraneous fixed-point iterations.

The present invention meets the requirement of both a formal verification and a use of an unreduced system model and provides the possibility of performing theoretical model "crash tests" in even very large-scale state based system models. Moreover, analyses and verification of the said models can be achieved in non-reduced models at a much higher rate than prior art analyses and verification tools.

Summary of the invention

When the method of analyzing a state based system model comprises a set of machines (M1, .., Mn), said machines each comprising at least one possible state (pS1Mi, ..., pSkMi), each machine being in one of its comprised states at any given time,

the dynamic behavior of said machines (M1, .., Mn) being defined by predefined transitions between said states of each machine (M1, .., Mn) and dependencies (D) between said machines (M1, .., Mn),

initiating an initial set of at least one machine state (F) of said machines (M1, .., Mn),

initiating a goal set of machine states (A) representing a condition on states of a subset of machines (MI), and

repeating the following steps until the analyzing has terminated positively and/or if the subset of machines (MI) comprises all of said machines (M1, .., Mn):

expanding the goal set (A) with a set of states which via transitions can be brought into the previous goal set (A) independently of machines not included in (MI),

if (A) comprises at least one of the set of states in the initial set of states (F) then terminating positively,

otherwise expanding the subset of machines (MI) with at least a subset of the machines (M1, .., Mn),

it is possible to obtain a very fast analysis of a state based system model.

Thus, according to the above, the invention deals with a dynamic expansion of a given investigated set of possible states A in a state based system model with the states within the currently investigated machine or set of machines. When the possible states A cannot be expanded any more, i.e. all states in the investigated machines are possible, or when the rest of the states are only possible if certain conditions in other machines are fulfilled, the number of investigated machines is increased and the set of possible states is expanded. This iterative process may continue until certain results are obtained. A desired result could for instance be a verification that a given machine state can be brought into the set of possible initial states A.

Specifically, the invention provides an accurate result when performing a so-called reachability check, i.e. when verifying that a set of initial machine states can be brought into certain desired or undesired conditions.



WO 99/50746
PCT/DK99/00178
Experimental results have shown that typical so-called reachability checks according to the invention can be performed considerably faster than prior art methods.

Moreover, according to the invention, it is now possible to analyze and verify system models comprising an extremely large number of machines, as no full calculation of all possible global state vectors has to be determined. This important aspect increases the possibility of creating very large state based systems, as a true model of the system can now be established and analyzed completely before marketing of the product, thus eliminating the risk of bringing products on the market with inherent hidden errors.

As many product segments of the market tend to comprise an increasing amount of embedded software, and as the products within said segments tend to be differentiated more and more only by the performing differences of the embedded software rather than the utilized hardware, the future demands on software designs in general will be very great with respect to both the above mentioned fault recognition and elimination and the short-term development deadlines.

The invention meets the requirement of such a tendency, as the invention provides the possibility of performing theoretical model "crash tests" in even very large-scale state based system models, and moreover analysis and verification of the said models can be achieved in non-reduced models at a much higher rate than prior art analyses and verification tools.
It should be noted that the type of test criteria established may vary widely within the scope of the invention. Examples of this could be a verification, an indication of potential dead-lock or, if necessary, a specific and accurate detection of such a dead-lock.

A further advantageous feature of the invention is that the basic compositional structure of step by step expanding the previous search result makes it possible to reuse previously obtained analysis results. Thus, even if a complete investigation of all machines in a system model would become necessary, much will be gained, as no unnecessary calculations will have to be made during the ongoing analyses.

Due to an acknowledgment of a central monotonicity result, the previously computed portion of the state space can be reused instead of having to start from scratch each time a new machine is added, as in known techniques.

Even when all machines are needed, experiments have shown that the inventive method of including machines one at a time, i.e. exploiting the monotonicity property, is faster than performing a so-called traditional fixed-point iteration using a partitioned transition relation and early variable quantification.

In situations where a system model is analysed for reachability with respect to a large sequence of goal sets (A1), .., (An), it may be advantageous for the later reachability problems to reuse already computed results from the earlier problems. In particular, in the backwards expansion from goal set (Ai) early positive termination may be made at any stage where the current expansion of the goal set (Ai) fully contains a previous goal set (Aj) (j<i) for which a positive result has already been obtained.

It should be emphasized that the invention has no restrictions with respect to the way of defining the system "components". The invention is for instance not restricted to simple so-called flat state system models. According to the invention a system may e.g. be defined as a hierarchical state event system comprising hierarchical machines and/or hierarchical states. Bearing this in mind, the invention is preferably advantageously performed in a flat system model, which means that hierarchical systems should preferably be transformed into flat models before an analysis according to the invention is initiated.

According to the invention, states in a system model may, e.g., comprise discrete observations, values of programming variables or registers or latches of a sequential circuit, observations of continuous and time-dependent functions such as temperature, time, speed, altitude, position. Moreover, as mentioned above, states may themselves be system models providing so-called hierarchical system models.

Dependencies are derived from conditions on transitions on other machines in the system model.

Conditions on transitions are either conditions on the current state of other machines in the system model or conditions on the current state of the environment of the system model.
Moreover, it should be noted that variations of the expansion criteria or termination conditions may be applicable within the scope of the invention.

When the step of expanding (MI) with at least a subset of the machines (M1, .., Mn) comprises an expansion of (MI) with at least a subset of machines upon which the previous (MI) depends, a very advantageous expansion of MI has been obtained.

The invention performs an analysis of a given system model by incorporating only the machines necessary for the current purpose, i.e. only the machines on which the currently evaluated transitions are dependent.

Thus, according to a very preferred embodiment of the invention, the expansion of the currently investigated MI with machines outside MI should be made considering that machines without dependencies on the unexpanded set of machines MI would currently provide no further information. Thus, according to the above preferred embodiment of the invention, the expansion of the investigated set of machines MI is optimized with only the immediately necessary machines. As many analyses of real-life applications can be performed without evaluation of a considerable amount of machines in a system model, an extremely valuable analysis method can be obtained.

It will be appreciated that analyses of large-scale system models will benefit even more from this important feature, as the necessary evaluated space of the system model may be reduced considerably and a great number of evaluations may be avoided.
An important aspect of the above mentioned dynamic ongoing expansion is that a usable result, when analyzing very large scale system models, can only be obtained when considering the dependencies, as described above. Pilot tests have in fact shown that verifications which are almost impossible in prior art systems can now be performed using modest resources on a standard PC.

A further important aspect of the invention is that the difficulties of analyzing reduced state based system models may be eliminated or reduced significantly, as the invention can deal with unreduced system models. It should be noted that the invention may be regarded as a dynamically reduced system model, wherein only the absolutely necessary system model machines are dynamically determined and investigated. Thus, the invention benefits from the empirically shown general behavior of state based system models, namely that possible real-life analyses or verifications will only affect a part of all the system model machines.

Basically, it should be noted that transitions between machine states in a given machine are restricted only by the dependencies associated with the specific transitions. Hence, the present method according to the invention requires that a transition without dependencies may be triggered by an event at any given time.

It is evident that, if conditions do in fact exist on the above-mentioned events, they should be incorporated into the system model, if necessary.

The above-mentioned advantageous embodiment of the invention benefits from the structure of a state-based system model, as it deals with the fact that transitions are basically characterized in two different ways. Some transitions may be fired unconditionally, as they may only be dependent on certain known and always possible events, while the other transitions are bound by certain conditions or dependencies to other machines.

Thus, according to the above embodiment, the invention deals with a dynamic expansion of a given investigated set of possible states A in a state based system model with the states within the currently investigated machine or set of machines. When the possible states A cannot be expanded any more, i.e. all states in the investigated machines are possible, or when the rest of the states are only possible if certain conditions in other machines are fulfilled, the number of investigated machines is increased and the set of possible states is expanded. According to the present embodiment it should be noted that the expansion only concerns the machines, or some of the machines, which have some kind of relevance to the currently investigated machine, i.e. if they have dependencies to the transitions in the currently investigated machine. This iterative process may continue until a certain result is obtained. A desired result could for instance be a verification that a given machine state can be brought into the set of possible states A.

It is evident that the above preferred embodiment may reduce the duration of the iterations significantly, as the method, so to speak, dynamically neglects the part of the system model which comprises no relevant information for the currently investigated transitions and/or machines.
The present invention provides a technique that significantly improves the performance of e.g. symbolic model checking on embedded reactive systems modeled using a state/event model or other state based models such as state charts.

The invention thus improves the convenience of utilizing state based models, e.g. the control portion of embedded reactive systems, including smaller systems, such as cellular phones, hi-fi equipment, and cruise controls for cars, and large systems, such as train simulators, flight control systems, telephone and communication protocols. The method according to the invention may thus e.g. be used in commercial tools to assist in developing embedded reactive software by allowing the designer to construct a state based model and analyze it by either simulating it or by running a consistency check. The tool automatically generates the code for the hardware of the embedded system. The consistency check is in fact a verification tool that checks for a range of properties that any state based model should have. Some of the checks must be passed for the generated code to be correct; for instance, it is crucial that the model is deterministic. Other checks are issued as warnings that might be design errors such as transitions that can never fire.

State based models can be extremely large, and unlike in traditional model checking, the number of checks is at least linear in the size of the model. The present invention reports results for models with up to 1421 concurrent state machines, and even much larger systems can easily be handled. For systems of this size, traditional symbolic model checking techniques fail, even when using a partitioned transition relation and backward iteration.
The present invention uses a compositional technique that initially considers only a few machines in determining satisfaction of the verification task and, if necessary, gradually increases the number of considered machines. The machines considered may advantageously be determined using a dependency analysis of the structure of the system.

A number of large state based models from industrial applications have been verified, and even the above-mentioned model with 1421 concurrent machines can be verified with modest resources. Compared with known analysis tools the results improve on the efficiency of checking the smaller instances and dramatically increase the size of systems that can be verified.

When the analyzing is terminated negatively after said step of expanding the goal set (A) with a set of states which can be brought into the previous goal set (A) independently of machines not included in (MI), if none of the machines in (MI) are dependent on machines outside (MI), a valid estimate of the system behavior is obtained, since, when the analysis terminates with none of the machines in MI dependent on machines outside MI, it can evidently be proved that the test criteria cannot be reached. Thus, the designers of even very large scale state based systems have the possibility of forecasting potential run-time problems.

It should be noted that the negative termination, of course, will be absolutely necessary in many applications, as an exact negative indication will often be of great value. In many types of analyses this negative indication is in fact what the user is looking for. Hence, it will be appreciated that the negative automatic termination itself will be of great importance, and the method of the invention will be far more effective and user-friendly when a kind of automatic termination is incorporated in the method when further iterations are meaningless. It should nevertheless be emphasized that other than this optimal stop criteria can be used.

On the other hand, the invention has the possibility of providing exact knowledge when speaking about positive control of test criteria representing non-desired states or combinations of states. Hence, if the method according to the invention proves that a certain state or a combination of states cannot be obtained under certain conditions, it can evidently be assumed that this situation will not occur in a real-life situation, even though the invention in fact utilizes only a part of the system model during the dynamic test situation. This feature is very important when speaking about a wide spectrum of process applications in which a fault, i.e. a non-desired state, may cause severe damage or confusion.

It should thus be emphasized that a negative as well as a positive termination of the analysis according to the invention may be determined with certainty, which is an extremely useful and valuable feature when performing tests on system models. The invention provides both a very high speed application and accurate and reliable results.

The information following the positive or negative termination can thus be adapted to represent any desired test condition.
Another aspect of the present embodiment of the invention is that optimal termination criteria may be of great importance in a large number of applications, as unnecessary iterations should be avoided, if possible. The above-mentioned positive and negative stop criteria ensure that all, but no more than, the necessary iterations will be calculated with respect to a reachability analysis. A person skilled in the art will be able to adapt the method of the invention to other desired analysis purposes.

When a visual or audio indication is provided to a user if, after said step of expanding the goal set (A) with a set of states which can be brought into the previous goal set (A) independently of machines not included in (MI), none of the machines in (MI) are dependent on machines outside (MI), a convenient environment of the information provided to a user is obtained.

It should be noted that a user-friendly interface is of even greater importance when a fast interactive process of analyzing can be expected. Not only may the process of analyzing a given system model be accelerated, but the whole design procedure of a state based system model may be shortened considerably.

When the analysis is terminated upon a request from the user, a further advantageous user interface is obtained. Such a kind of interface may e.g. be advantageous when handling large scale systems. Again, as mentioned above, it should be emphasized that the need for a user-friendly interface grows with the capability of the analysis method.
When the dependencies (D) are represented as a directed graph, a further advantageous embodiment is achieved.

A representation as a directed graph, which in itself is a well known data structure for representing dependencies between arbitrary objects, is a very convenient and optimal approach usable for a wide spectrum of analyzing applications.

When the increasing sets of machines (MI) are determined by a breadth-first traversal of the directed graph representing dependencies, a further advantageous embodiment is achieved, as it leads to a minimum dependency closed MI, and thus a fast termination.

This is due to the fact that it includes only the machines on which MI is immediately dependent.

Moreover this method is very efficiently computable.

When the sets of machine states are represented as Reduced Ordered Binary Decision Diagrams (ROBDDs) and the operations upon them are carried out as efficient operations on Reduced Ordered Binary Decision Diagrams (ROBDDs), a further advantageous embodiment according to the invention is obtained.

Thus, efficient operations computing the image of a transition relation on a set of states can be obtained. It should be noted that a computation of the image of a transition relation requires the transition relation to be represented as a single ROBDD, which may sometimes cause problems due to a large size of the representation. In these cases the transition relation can be more efficiently represented as a disjunction or conjunction of smaller relations called a partitioned transition relation.

When the transition relation is represented as a partitioned transition relation of Reduced Ordered Binary Decision Diagrams (ROBDDs), and the set of states (A) is dynamically computed by an iterative fixed-point iteration, a simple and efficient operation of the invention is obtained, implemented by well known techniques in the art.

When the dynamic behaviour of said machines (M1, .., Mn) is defined by predefined transitions between said states of each machine (M1, .., Mn) and dependencies (D) between said machines (M1, .., Mn),

for each machine (M1, .., Mi, .., Mn)

a subset of machines (MI) is initiated to comprise the currently analyzed machine (Mi),

a set (Ai) of living states is initiated, said living states being the machine states of the currently analysed machine (Mi) which, independently of other machines, may change state to other possible states (pS1Mi, ..., pSkMi) of said machine,

the following steps are initiated until the analysis has terminated or if (MI) comprises all machines (M1, .., Mn):

the set of living states (Ai) is expanded with a set of states which via transitions can be brought into the previous set of living states (Ai) independently of machines not included in (MI)

and/or a set of states which via transitions can be brought to change state of (Mi) independently of machines not included in (MI),

the analysis is terminated positively if (Ai) comprises all possible machine states in said machine (Mi),

otherwise (MI) is expanded with at least a subset of the machines,

a further advantageous embodiment is achieved.

As will be understood, the present embodiment of the invention will provide the possibility of detecting all the global states, i.e. a set of machine states, for each machine which may have the possibility to change state under certain possible conditions. Such states will be regarded as living states according to the present terminology.

It is moreover evident that determination of all the living states of each machine may give an indication of possible inherent traps, as a machine state from which a given machine has no possible transitions to other states may be a potentially dangerous state, or a so-called potential dead state.

It should nevertheless be emphasized that a potential dead state does not necessarily represent an undesired or illegal state. The determined state or states must in fact only be critical if they can be reached from known or given initial system conditions.

When the invention furthermore comprises the steps of, for each machine (Mi) having potential dead machine states (Adi),

initiating an initial set of machine states (F) of said machines (M1, .., Mn),

initiating a goal set of machine states (Adi) representing the potential dead machine states of machines (MI), and

repeating the following steps until the analyzing has terminated and/or if the subset of machines (MI) comprises all of said machines (M1, .., Mn):

expanding the goal set (Adi) with a set of states which via transitions can be brought into the previous goal set (Adi) independently of machines not included in (MI),

if (Adi) comprises at least one of the states in the initial set of states (F) then terminating positively,

otherwise expanding the subset of machines (MI) with at least a subset of the machines (M1, .., Mn),

further important knowledge about the investigated system model is obtained.

The meaning of a positive termination in the above embodiment of the invention is thus not especially positive, as it has now been determined that the investigated state or combination of potential dead states can actually be reached. A dead-lock has thus been determined, and the machine Mi comprising the determined state or states will not be able to change state, no matter what happens in the surrounding system.

When the method of the invention comprises determining, for at least one machine (Mi), at least one of, preferably all, the potential dead machine states (Adi) which, when said machine (Mi) is in any of said machine states (Adi), independently of possible external events, will remain in the same machine state (Adi),

for each machine (Mi) having potential dead machine states (Adi) initiating an initial set of machine states (F) of said machines (M1, .., Mn),

initiating a goal set of machine states (Adi) representing the potential dead machine states of machines (MI), and

repeating the following steps until the analysis has terminated and/or if the subset of machines (MI) comprises all of said machines (M1, .., Mn):

expanding the goal set (Adi) with a set of states which via transitions can be brought into the previous goal set (Adi) independently of machines not included in (MI),

if (Adi) comprises at least one of the states in the initial set of states (F) then terminating positively,

otherwise expanding the subset of machines (MI) with at least a subset of the machines (M1, .., Mn),

a very preferred embodiment of the invention is obtained, as a real dead-lock has been detected.

The invention provides a convincing method of detecting a very unpleasant type of faults, as a deadlock would cause a system, such as a state based system, to enter an endless loop, causing stressing and unreasonable working conditions for the user, at best.
It is evident that detection of reachable dead-locks in a system model provides extremely valuable information to the system designer, as an undetected dead-lock fault may cause severe damage if it should be detected or experienced by a user of a released product. Moreover, it should be emphasized that a fast dead-lock detection, as well as other test criteria, such as the above-mentioned verification analysis, will provide an impressive work tool to a market which is extremely sensitive to release delays and dependent on short term design phases.
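The procedures described above, i.e. the reachability check of the summary with expansion of (MI) by the machines it depends on (a breadth-first step over the dependency graph) and negative termination once (MI) is dependency closed, the determination of living and potential dead states of a machine, and the detection of reachable dead-locks, are carried out below on a small model. This is an added worked example and not code from the patent or from any tool it describes; the six-machine model MODEL, the initial state INITIAL and every function name are assumptions of the example, and sets of states are explicit Python sets of (machine, state) pairs where the patent uses ROBDDs. The dependency-closed stop criterion is applied to the living-state analysis as well, which the text leaves open as one of the possible stop criteria.

```python
from itertools import product

# Constructed toy model (an assumption of this example). A machine maps to
# (states, transitions); a transition is (src, dst, guard), the guard being a
# dict {other_machine: required_state}, i.e. a condition on the current state of
# other machines. An empty guard fires on an always possible event.
MODEL = {
    "M1": ({"idle", "busy"}, [("idle", "busy", {"M2": "ok"}), ("busy", "idle", {})]),
    "M2": ({"ok", "err"}, [("ok", "err", {"M3": "on"}), ("err", "ok", {})]),
    "M3": ({"on", "off"}, [("on", "off", {}), ("off", "on", {})]),
    "M4": ({"a", "b"}, [("a", "b", {"M1": "busy"})]),  # "b" has no way out
    "M5": ({"p", "q"}, [("p", "q", {"M6": "z"})]),     # M5 and M6 wait for each other
    "M6": ({"w", "z"}, [("w", "z", {"M5": "q"})]),
}
INITIAL = {"M1": "idle", "M2": "ok", "M3": "off", "M4": "a", "M5": "p", "M6": "w"}
# A (partial) global state over MI is a frozenset of (machine, state) pairs;
# sets of them stand in for the ROBDDs of the patent.

def deps(m):  # dependencies D of machine m: the machines its guards refer to
    return {k for _, _, g in MODEL[m][1] for k in g}

def dependency_closed(mi):  # no machine in MI depends on a machine outside MI
    return all(deps(m) <= mi for m in mi)

def expand(mi):  # one breadth-first step over the dependency graph
    return mi | {d for m in mi for d in deps(m)}

def lift(states, old, new):
    """Re-express states over MI=old over MI=new; added machines are unconstrained."""
    added = sorted(new - old)
    return {s | frozenset(zip(added, c)) for s in states
            for c in product(*(sorted(MODEL[m][0]) for m in added))}

def all_states(mi):
    """Every partial global state over MI (fine for a toy; ROBDDs avoid this)."""
    order = sorted(mi)
    for c in product(*(sorted(MODEL[m][0]) for m in order)):
        yield dict(zip(order, c))

def can_move(v, m, mi):
    """m has a transition enabled in v without relying on machines outside MI."""
    return any(v[m] == src and set(g) <= mi and all(v[k] == x for k, x in g.items())
               for src, _, g in MODEL[m][1])

def pre(states, mi):
    """states plus every state over MI that reaches them in one step without relying on a machine outside MI."""
    out = set(states)
    for m in mi:
        for src, dst, g in MODEL[m][1]:
            if not set(g) <= mi:
                continue  # guarded by a machine outside MI: cannot be assumed to fire
            for s in states:
                v = dict(s)
                if v[m] == dst and all(v[k] == x for k, x in g.items()):
                    out.add(frozenset({**v, m: src}.items()))
    return out

def fixpoint(A, mi, seed=lambda mi: set()):
    """Backward expansion within MI until nothing is added; A is reused when MI grows (monotonicity)."""
    while True:
        nxt = pre(A, mi) | seed(mi)
        if nxt == A:
            return A
        A = nxt

def reachable(goal):
    """Reachability of goal={machine: state} from INITIAL: (answer, machines considered); exact either way."""
    mi = frozenset(goal)
    A = {frozenset(goal.items())}
    while True:
        A = fixpoint(A, mi)
        if frozenset((m, INITIAL[m]) for m in mi) in A:
            return True, set(mi)   # positive termination: goal reachable
        if dependency_closed(mi) or mi == frozenset(MODEL):
            return False, set(mi)  # negative termination: provably unreachable
        new = expand(mi)
        A, mi = lift(A, mi, new), new

def living_states(mach):
    """Living states of mach (it may change state under some possible condition) and its potential dead states."""
    mi, A = frozenset([mach]), set()

    def seed(mi):  # states over MI in which mach itself has an enabled transition
        return {frozenset(v.items()) for v in all_states(mi) if can_move(v, mach, mi)}

    while True:
        A = fixpoint(A, mi, seed)
        living = {dict(s)[mach] for s in A}
        if living == MODEL[mach][0] or dependency_closed(mi) or mi == frozenset(MODEL):
            return living, MODEL[mach][0] - living
        new = expand(mi)
        A, mi = lift(A, mi, new), new

def reachable_dead_states(mach):
    """Dead-lock detection: potential dead states of mach that INITIAL can reach."""
    return {s for s in living_states(mach)[1] if reachable({mach: s})[0]}

if __name__ == "__main__":
    print(reachable({"M1": "busy"}))    # (True, {'M1', 'M2'}): M3..M6 never considered
    print(reachable({"M5": "q"}))       # (False, {'M5', 'M6'}): closed subset, exact
    print(reachable_dead_states("M4"))  # {'b'}: a real dead-lock; for M5 the result is set()
```

Running the block shows the three behaviours the text claims: (M1 = busy) is proven reachable after considering only M1 and M2, since the goal set already contains the initial state once M2 is added; (M5 = q) is proven unreachable with certainty after considering only M5 and M6, because that subset is dependency closed and the backward expansion has reached its fixed point without meeting the initial state; and M4's potential dead state b is a real dead-lock, whereas M5's potential dead state q is never reached and therefore not critical.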



Brief description of the drawings

The present invention is illustrated by way of examples and not as a limitation in the figures of the accompanying drawings, in which

Figs. 1-4 illustrate the basic machines of an embodiment of the invention,

Fig. 5 illustrates the combinations of the machines with the mutual dependencies between the machines of figs. 2-4,

Figs. 6-8 illustrate a first example of an embodiment of the invention,

Figs. 9-10 illustrate a second example of an embodiment of the invention,

Figs. 11 and 12 illustrate a third example of an embodiment of the invention,



